Several vulnerabilities have been discovered in Rails, the Ruby web application framework. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-4214

A cross-site scripting (XSS) vulnerability has been found in the strip_tags function. An attacker may inject non-printable characters that certain browsers will then evaluate. This vulnerability only affects the oldstable distribution (lenny).

CVE-2011-2930

A SQL injection vulnerability has been found in the quote_table_name method that could allow malicious users to inject arbitrary SQL into a query.

CVE-2011-2931

A cross-site scripting (XSS) vulnerability has been found in the strip_tags helper. A parsing error can be exploited by an attacker, who can confuse the parser and may inject HTML tags into the output document.

CVE-2011-3186

A newline (CRLF) injection vulnerability has been found in response.rb. This vulnerability allows an attacker to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.

For the oldstable distribution (lenny), this problem has been fixed in version 2.1.0-7+lenny1.

For the stable distribution (squeeze), this problem has been fixed in version 2.3.5-1.2+squeeze1.

For the unstable distribution (sid), this problem has been fixed in version 2.3.14.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Several unauthorised SSL certificates have been found in the wild issued for the DigiNotar Certificate Authority, obtained through a security compromise with said company. Debian, like other software distributors, has as a precaution decided to disable the DigiNotar Root CA by default in the NSS crypto libraries.

As a result of further understanding of the incident, this update to DSA 2300 disables additional DigiNotar issuing certificates.

For the oldstable distribution (lenny), this problem has been fixed in version 3.12.3.1-0lenny6.

For the stable distribution (squeeze), this problem has been fixed in version 3.12.8-1+squeeze3.

For the unstable distribution (sid), this problem has been fixed in version 3.12.11-2.

We recommend that you upgrade your nss packages.


The apache2 upgrade from DSA-2298-1 has caused a regression that prevented some video players from seeking in video files served by Apache HTTPD. This update fixes this bug.

The text of the original advisory is reproduced for reference:

Two issues have been found in the Apache HTTPD web server:

CVE-2011-3192

A vulnerability has been found in the way multiple overlapping ranges are handled by the Apache HTTPD server. This vulnerability allows an attacker to cause Apache HTTPD to use an excessive amount of memory, causing a denial of service.
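As an added example (not part of the Debian advisory or of the Apache source), a small Python front-end check that parses an HTTP/1.1 Range header and flags requests carrying many or overlapping byte ranges, the request shape the CVE-2011-3192 description refers to; the limit of five ranges and the function names are assumptions of this example.

```python
import re

# Added example (not from the advisory or Apache): parse an HTTP/1.1 Range
# header and flag many or overlapping byte ranges (the request shape behind
# CVE-2011-3192). The threshold and function names are this example's own.
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(header_value, content_length):
    """Return (first, last) tuples for a 'bytes=' Range header, clamped to the
    resource size; malformed or unsatisfiable specs are skipped."""
    if not header_value.startswith("bytes="):
        raise ValueError("only byte ranges are supported")
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            continue                        # not a byte-range-spec at all
        first, last = m.group(1), m.group(2)
        if first == "":                     # suffix form "-N": the last N bytes
            n = int(last)
            if n > 0:
                ranges.append((max(content_length - n, 0), content_length - 1))
            continue
        first_pos = int(first)
        if first_pos >= content_length:     # starts past the end: unsatisfiable
            continue
        last_pos = content_length - 1 if last == "" else min(int(last), content_length - 1)
        if last_pos >= first_pos:           # last < first is syntactically invalid
            ranges.append((first_pos, last_pos))
    return ranges

def has_overlap(ranges):
    """True if any two requested byte ranges share at least one byte."""
    ordered = sorted(ranges)
    for (_, prev_last), (cur_first, _) in zip(ordered, ordered[1:]):
        if cur_first <= prev_last:
            return True
    return False

def range_request_verdict(header_value, content_length, max_ranges=5):
    """Summarise a Range header for a front-end filter: number of ranges,
    whether they overlap, and whether it should be refused or served whole."""
    ranges = parse_byte_ranges(header_value, content_length)
    overlap = has_overlap(ranges)
    return {"ranges": len(ranges), "overlap": overlap,
            "suspicious": overlap or len(ranges) > max_ranges}
```

A proxy or WAF rule that drops the Range header (so the whole resource is served) whenever `suspicious` is true is the shape of the workaround that was circulated before the patched packages were available.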

CVE-2010-1452

A vulnerability has been found in mod_dav that allows an attacker to cause a daemon crash, causing a denial of service. This issue only affects the Debian 5.0 oldstable/lenny distribution.

The regression has been fixed in the following packages:

For the oldstable distribution (lenny), this problem has been fixed in version 2.2.9-10+lenny11.

For the stable distribution (squeeze), this problem has been fixed in version 2.2.16-6+squeeze3.

For the testing distribution (wheezy), this problem will be fixed in version 2.2.20-1.

For the unstable distribution (sid), this problem has been fixed in version 2.2.20-1.

We recommend that you upgrade your apache2 packages.

This update also contains updated apache2-mpm-itk packages which have been recompiled against the updated apache2 packages. The new version number for the oldstable distribution is 2.2.6-02-1+lenny6. In the stable distribution, apache2-mpm-itk has the same version number as apache2.
